New Apple Trojan Means Mac Hunting Season Is Open

New Apple Trojan Means Mac Hunting Season Is Open
New Apple Trojan Means Mac Hunting Season Is Open 

By Ryan Singel

The Mac has officially gone mainstream.

The proof? On Halloween, professional online criminals were found using 
Trojan-horse software to target, for the first time, computers running 
Apple's OS X operating system -- just as they have been doing for years 
on the more ubiquitous flavors of Windows.

"Apple's day has finally come, and Apple users are going to get hit 
hard," security researcher Gadi Evron said. "OS X is the new Windows 

The Trojan comes disguised as a video-decoding plug-in that users are 
told they must install to watch free porn clips. Instead, the software 
burrows into the operating system and diverts some of the victim's 
future web surfing to sites under the attacker's control. It's the 
professional attack on Macs that the security community has long 
predicted, according to Dave Marcus, security research manager at 
McAfee's Avert Lab, who said it was "written by people who know how to 
write malware."

The arrival of the Mac Trojan signals that cybercrooks have decided 
there are finally enough Apple systems on the internet to make attacking 
them profitable, according to security experts. Apple is the nation's 
No. 3 desktop and laptop seller in the United States, behind Dell and 
Hewlett Packard. And this year, the Cupertino company accounted for an 
impressive 8.1 percent of the personal-computer market for the third 
quarter, up nearly two percentage points from the same period a year 
ago. Evron and other observers predict that black hats will have a field 
day with Macs, as well as with Apple's new mobile platforms.

"With 2 million iPhones and iPod Touches, it makes sense they will think 
of them as an evolving market to exploit, and there are a lot of new Mac 
users who aren't as savvy as Mac's earlier users," said CEO Alex 
Eckelberry of Sunbelt Software, which sells security software for 
Windows machines.

But Carl Howe, an Apple analyst at Blackfriars Communications, disputes 
the security researchers' theories. He thinks that OS X's Linux heritage 
makes Apple systems less vulnerable to attack than Windows-based 
platforms. He argues that even if hacking Macs hasn't been profitable in 
the past, attackers would have done it anyway if they'd been able -- 
just for the attention.

"I think the market-share thing has always been a myth," Howe said. 
"It's a good story to talk about."

Announced Wednesday by Mac-focused security company Intego, the Mac 
Trojan was found on a set of pornography sites, where attackers dangled 
free movies that supposedly required users to install a special 
Quicktime codec to view.

The codec, however, is fake. Instead of unlocking a skin flick, it 
installs what Intego dubbed the OSX.RSPlug.A Trojan horse on the user's 

Black-hat hackers have been using fake codecs for more than a year to 
trick Windows users into installing software. In this case, when the 
site serving the malware determines that a user is on a Mac, it delivers 
a Mac-specific version.

Once installed, the Trojan hijacks the system's domain-name service. 
Internet-connected applications use DNS to translate the domain part of 
an URL, such as, into the numeric IP address of a server. 
By hijacking the DNS, the attacker is able to replace search results 
with links to sites that he controls, in hopes of making money from 
online purchases, according to Eckelberry.

The software could also intercept intended visits to sites such as 
banks, eBay and PayPal and redirect them to fake websites that harvest 
users' logins and passwords. The scammers could then use that info to to 
get money out of the real sites, but neither Sunbelt nor McAfee 
researchers have seen the malware harvesting personal-finance info.

Unlike many Windows-based attacks, the Trojan doesn't exploit a hole in 
Apple's software, and it can't install itself. Instead, it relies on 
social engineering, tricking users into downloading the codec, and 
requiring that they type in the administrator password to install it.

But the fact that the hackers aren't attacking through software bugs 
doesn't change the portent of this week's attack, according to 
Eckelberry. "I don't care if you have to type in your admin password," 
Eckelberry said. "If you are asked to install a QuickTime plug-in, you 

For the past year, fake codecs have been among the top problems 
encountered by Windows users, according to Eckelberry. The attacks have 
gotten so professional-looking that the fake codecs even have fake, 
annoying end-license-user agreements that users have to agree to.

The Mac Trojan is created by the same malware crew that has been 
infecting Windows machines with the Trojans known as Zlob and 
DNSChanger, according to Eckelberry and Marcus.

Marcus said McAfee researchers have already found the Mac Trojan on 65 
websites. But he said the malware is not living up to its full 
potential: It only redirects users who attempt to visit one obscure 
adult website.

"Truthfully, this is kind of strange," said Marcus. "If you are going to 
mess with someone's DNS, I would have done far more fake DNS entries. I 
have a sneaking suspicion is that word got out before they wanted it to, 
but that's just an educated guess."

Evron sees more problems for Apple users than just new Trojans that try 
to trick users. Hackers will find it profitable and all too easy to find 
holes in Apple software, because the company hasn't paid sufficient 
attention to security, said Evron.

He predicts Apple will experience a full-range of attacks, just as 
Microsoft did a decade ago when Windows machines and the internet first 

"It's Mac season. The next two years will be interesting."


Staff writer David Kravets contributed to this story.

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - 

Site design & layout copyright © 1986-2014 CodeGods